scispace - formally typeset
Search or ask a question
Journal ArticleDOI

Generation of Secure and Reliable Honeywords, Preventing False Detection

TL;DR: This work proposes new and more practical honeyword generation techniques, which achieve ‘approximate flatness’, implying that the honeywords generated using these techniques are indistinguishable from passwords with high probability, and proposes a new attack model called ‘Multiple System Intersection attack considering Input’.
Abstract: Breach in password databases has been a frequent phenomena in the software industry. Often these breaches go undetected for years. Sometimes, even the companies involved are not aware of the breach. Even after they are detected, publicizing such attacks might not always be in the best interest of the companies. This calls for a strong breach detection mechanism. Juels et al. (in ACM-CCS 2013) suggest a method called ‘Honeywords’, for detecting password database breaches. Their idea is to generate multiple fake passwords, called honeywords and store them along with the real password. Any login attempt with honeywords is identified as a compromise of the password database, since legitimate users are not expected to know the honeywords corresponding to their passwords. The key components of their idea are (i) generation of honeywords, (ii) typo-safety measures for preventing false alarms, (iii) alarm policy upon detection, and (iv) testing robustness of the system against various attacks. In this work, we analyze the limitations of existing honeyword generation techniques. We propose a new attack model called ‘Multiple System Intersection attack considering Input’. We show that the ‘Paired Distance Protocol’ proposed by Chakraborty et al., is not secure in this attack model. We also propose new and more practical honeyword generation techniques and call them the ‘evolving-password model’, the ‘user-profile model’, and the ‘append-secret model’. These techniques achieve ‘approximate flatness’, implying that the honeywords generated using these techniques are indistinguishable from passwords with high probability. Our proposed techniques overcome most of the risks and limitations associated with existing techniques. We prove flatness of our ‘evolving-password model’ technique through experimental analysis. We provide a comparison of our proposed models with the existing ones under various attack models to justify our claims.
Citations
More filters
Journal ArticleDOI
TL;DR: In this article , a honeyword-based defense strategy was proposed to prevent the latest developed server-side threat on the IoT domain's password, which is one of the most well-known authentication methods in accessing many IoT devices.
Abstract: Password is one of the most well-known authentication methods in accessing many Internet of Things (IoT) devices. The usage of passwords, however, inherits several drawbacks and emerging vulnerabilities in the IoT platform. However, many solutions have been proposed to tackle these limitations. Most of these defense strategies suffer from a lack of computational power and memory capacity and do not have immediate cover in the IoT platform. Motivated by this consideration, the goal of this article is fivefold. First, we analyze the feasibility of implementing a honeyword-based defense strategy to prevent the latest developed server-side threat on the IoT domain’s password. Second, we perform thorough cryptanalysis of a recently developed honeyword-based method to evaluate its advancement in preventing the threat and explore the best possible way to incorporate it in the IoT platform. Third, we verify that we can add a honeyword-based solution to the IoT infrastructure by ensuring specific guidelines. Fourth, we propose a generic attack model, namely, matching attack utilizing the compromised password file to perform the security check of any legacy-UI approach for meeting the all essential flatness security criterion. Last, we compare the matching attack’s performance with the corresponding one of a benchmark technological methods over the legacy-UI model and confirm that our attack has 5%–22% more vulnerable than others.

3 citations

Journal ArticleDOI
TL;DR: This article analyzes the feasibility of implementing a honeyword-based defense strategy to prevent the latest developed server-side threat on the IoT domain’s password and proposes a generic attack model utilizing the compromised password file to perform the security check of any legacy-UI approach for meeting the all essential flatness security criterion.
Abstract: Password is one of the most well-known authentication methods in accessing many Internet of Things (IoT) devices. The usage of passwords, however, inherits several drawbacks and emerging vulnerabilities in the IoT platform. However, many solutions have been proposed to tackle these limitations. Most of these defense strategies suffer from a lack of computational power and memory capacity and do not have immediate cover in the IoT platform. Motivated by this consideration, the goal of this paper is fivefold. First, we analyze the feasibility of implementing a honeyword-based defense strategy to prevent the latest developed server-side threat on the IoT domain’s password. Second, we perform thorough cryptanalysis of a recently developed honeyword-based method to evaluate its advancement in preventing the threat and explore the best possible way to incorporate it in the IoT platform. Third, we verify that we can add a honeyword-based solution to the IoT infrastructure by ensuring specific guidelines. Forth, we propose a generic attack model, namely matching attack utilizing the compromised password-file to perform the security check of any legacy-UI approach for meeting the all essential flatness security criterion. Last, we compare the matching attack’s performance with the corresponding one of a benchmark technological methods over the legacy-UI model and confirm that our attack has 5%~22% more vulnerable than others.

3 citations

Journal ArticleDOI
TL;DR: This research has proved that every honeyword generation method has many weaknesses points.
Abstract: Abstract Honeyword system is a successful password cracking detection system. Simply the honeywords are (False passwords) that are accompanied to the sugarword (Real password). Honeyword system aims to improve the security of hashed passwords by facilitating the detection of password cracking. The password database will have many honeywords for every user in the system. If the adversary uses a honeyword for login, a silent alert will indicate that the password database might be compromised. All previous studies present a few remarks on honeyword generation methods for max two preceding methods only. So, the need for one that lists all preceding researches with their weaknesses is shown. This work presents all generation methods then lists the strengths and weaknesses of 26 ones. In addition, it puts 32 remarks that highlight their strengths and weaknesses points. This research has proved that every honeyword generation method has many weaknesses points.

2 citations

Book ChapterDOI
01 Jan 2022
TL;DR: Wang et al. as mentioned in this paper combined the deep learning and rule-based password attacks to propose a new honeywords generation method called GHDR, which can better resist Top-PW attacks than the state-of-the-art methods.
Abstract: AbstractHoneywords is a simple and efficient method that can help the authentication server to detect password leaks. The indistinguishability between generated honeywords and real passwords is the key to the honeywords generation methods. However, the current honeywords generation methods are difficult to achieve that and are vulnerable to the Top-PW attack.In order to improve the security of the honeywords generation method, this paper combines the deep learning and rule-based password attacks to propose a new honeywords generation method called GHDR. The method first builds a deep learning model to learn whether the rules used in the rule-based password attack are effective for different passwords. When a user sets a password, effective rules will be selected by the model according to the entered password, and then these selected rules will be used to transform the user’s password to generate honeywords. Experimental results show that the proposed honeywords generation method can better resist Top-PW attacks than the state-of-the-art methods.KeywordsHoneywordsDeep learningPassword attackTop-PW attack

1 citations

Dissertation
01 Oct 2017
TL;DR: This thesis is devoted to the secure design of password hashing algorithm and the analysis of existing password-based authentication systems and provides a cryptographic module based approach for password hashing.
Abstract: Passwords are the most widely deployed means of human-computer authentication since the early 1960s. The use of passwords, which are usually low in entropy, is delicate in cryptography because of the possibility of launching an offline dictionary attack. It is ever challenging to design a password-based cryptosystem that is secure against this attack. Password-based cryptosystems broadly cover two areas 1) Password-based authentication, e.g., password hashing schemes and 2) Password-based encryption specifically used in password-based authenticated key exchange (PAKE) protocols. This thesis is devoted to the secure design of password hashing algorithm and the analysis of existing password-based authentication systems. The frequent reporting of password database leakage in real-world highlights the vulnerabilities existing in the current password based constructions. In order to alleviate these problems and to encourage strong password protection techniques, a Password Hashing Competition (PHC) was held from 2013 to 2015. Following the announced criteria, we propose a password hashing scheme Rig that fulfills all the required goals. We also present a cryptanalytic technique for password hashing. Further, we focus on the improvement of a password database breach detection technique and on the analysis of Universal 2nd Factor protocol. This report tries to list and summarize all the important results published in the field of password hashing in recent years and understand the extent of research over password-based authentication schemes. Our significant results are listed below. 1. Following the design requirements for a secure password hashing scheme as mentioned at the PHC [16], we present our design Rig which satisfies all required criteria. It is a memory hard and best performing algorithm under cache-timing attack resistant category. As part of the results, we present the construction explaining the design rationale and the proof of its collision resistance. We also provide the performance and security analysis. 2. In practice, most cryptographic designs are implemented inside a Cryptographic module, as suggested by National Institute of Standards and Technology (NIST) in a standard, FIPS 140. A cryptographic module has a limited memory and this makes it challenging to implement a password hashing scheme (PHS) inside it. We provide a cryptographic module based approach for password hashing. It helps to enhance the security of the existing password-based authentication framework. We also discuss the feasibility of the approach considering the submissions of PHC. 3. The increasing threat of password leakage from compromised password hashes demands a resource consuming algorithm to prevent the precomputation of the password hashes. A class of password hashing designs which ensure that any reduction in the memory leads to exponential increase in their runtime are called Memory hard designs. Time Memory Tradeoff (TMTO) technique is an effective cryptanalytic approach for such password hashing schemes (PHS). However, it is generally difficult to evaluate the “memory hardness” of a given PHS design. We present a simple technique to analyze TMTO for any password hashing schemes which can be represented as a directed acyclic graph.

1 citations


Cites background from "Generation of Secure and Reliable H..."

  • ...The list of publications and submissions presented on page IV, [59, 58, 60, 26, 61] form the basis of this thesis....

    [...]

References
More filters
Proceedings ArticleDOI
08 May 2007
TL;DR: The study involved half a million users over athree month period and gets extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site.
Abstract: We report the results of a large scale study of password use andpassword re-use habits. The study involved half a million users over athree month period. A client component on users' machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large scale study of its kind, and yields numerous other insights into the role the passwords play in users' online experience.

1,068 citations


"Generation of Secure and Reliable H..." refers background in this paper

  • ...Humans have a tendency to choose the same password for multiple websites [17]....

    [...]

  • ...This attack is also motivated by the tendency of humans to choose the same password for multiple websites [17]....

    [...]

  • ...It is common human tendency to use the same password for multiple sites [17]....

    [...]

Journal ArticleDOI
Robert Morris1, Ken Thompson1
TL;DR: The present design of the password security scheme was the result of countering observed attempts to penetrate the system and is a compromise between extreme security and ease of use.
Abstract: This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.

1,015 citations


"Generation of Secure and Reliable H..." refers methods in this paper

  • ...‘Dictionary attack’ [2] is the most widely used attack technique for retrieving a password from its hash value....

    [...]

Book ChapterDOI
17 Aug 2003
TL;DR: A new way of precalculating the data is proposed which reduces by two the number of calculations needed during cryptanalysis and it is shown that the gain could be even much higher depending on the parameters used.
Abstract: In 1980 Martin Hellman described a cryptanalytic time-memory trade-off which reduces the time of cryptanalysis by using precalculated data stored in memory. This technique was improved by Rivest before 1982 with the introduction of distinguished points which drastically reduces the number of memory lookups during cryptanalysis. This improved technique has been studied extensively but no new optimisations have been published ever since. We propose a new way of precalculating the data which reduces by two the number of calculations needed during cryptanalysis. Moreover, since the method does not make use of distinguished points, it reduces the overhead due to the variable chain length, which again significantly reduces the number of calculations. As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (237) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used.

524 citations


"Generation of Secure and Reliable H..." refers background in this paper

  • ...Use of salt prevents specialized attacks like the rainbow table attack [3], when considering a large collection of hashes....

    [...]

Proceedings ArticleDOI
17 May 2009
TL;DR: This paper discusses a new method that generates password structures in highest probability order by automatically creating a probabilistic context-free grammar based upon a training set of previously disclosed passwords, and then generating word-mangling rules to be used in password cracking.
Abstract: Choosing the most effective word-mangling rules to use when performing a dictionary-based password cracking attack can be a difficult task In this paper we discuss a new method that generates password structures in highest probability order We first automatically create a probabilistic context-free grammar based upon a training set of previously disclosed passwords This grammar then allows us to generate word-mangling rules, and from them, password guesses to be used in password cracking We will also show that this approach seems to provide a more effective way to crack passwords as compared to traditional methods by testing our tools and techniques on real password sets In one series of experiments, training on a set of disclosed passwords, our approach was able to crack 28% to 129% more passwords than John the Ripper, a publicly available standard password cracking program

491 citations


"Generation of Secure and Reliable H..." refers methods in this paper

  • ...The work [24] suggests a method to compute the probability based on the frequency of each token in the password....

    [...]

  • ...quencies of each password enlisted in an existing database and also computes the frequency of each individual tokens (alphabets-strings, digitsstrings, special-characters-strings) of the password following the technique suggested in [24]....

    [...]

  • ...To match the frequency considering the tokens, we follow the technique proposed in [24], where the probability of the honeyword is the product of the probabilities of the tokens used to derive it....

    [...]

Journal ArticleDOI
TL;DR: Five design principles help provide insight into the tradeoffs among different possible designs in the Multics system and several known weaknesses in the current protection mechanism design are discussed.
Abstract: The design of mechanisms to control the sharing of information in the Multics system is described. Five design principles help provide insight into the tradeoffs among different possible designs. The key mechanisms described include access control lists, hierarchical control of access specifications, identification and authentication of users, and primary memory protection. The paper ends with a discussion of several known weaknesses in the current protection mechanism design.

444 citations


"Generation of Secure and Reliable H..." refers background in this paper

  • ...User selected passwords are mostly predictable, since humans have a tendency to choose non-random and easy to remember passwords [1]....

    [...]